Protection Layers
Three independent systems work in concert to provide comprehensive fraud coverage at the point of payment.

- Anti-Bot: Behavioral analysis and challenge-response to detect and block automated traffic.
- Anti-Card Testing: Detects rapid sequential payment attempts characteristic of stolen card validation.
- Device Fingerprint: Persistent device identity tracking to link activity across sessions and accounts.
Anti-Bot Detection
The anti-bot layer analyses dozens of passive signals during the payment session (mouse movement entropy, keystroke timing, browser environment consistency and TLS fingerprint) to produce a bot confidence score for each checkout attempt. We also use a Cloudflare CAPTCHA as an additional layer of protection.

Anti-Card Testing
Card testing attacks involve running large numbers of stolen card numbers against a payment endpoint to identify valid ones. Our system detects this pattern through velocity checks on both the user account and the device fingerprint, regardless of whether a new guest session is opened.

Detection rules

Device Fingerprinting
Every checkout session generates a stable device fingerprint that persists across browser sessions, private/incognito mode, and VPN changes. This fingerprint is the primary identity used when evaluating fraud signals and enforcing blocks.

⚠ Fingerprints are stored server-side only. They are never exposed to client-side JavaScript and cannot be queried or tampered with by the user.

Block Escalation

When a fraud signal is triggered, the system applies a progressive block policy keyed to the device fingerprint. The escalation is automatic and requires no manual intervention.

Policy Summary
| Condition | Action | Duration | Reversible |
|---|---|---|---|
| First fraud signal | Payment blocked | 24 hours | Auto-lifted |
| Retry during 24-hr block | Payment blocked | Indefinite | Manual review only |
| Permanent block + attempt | Silent reject + alert | Indefinite | No |
| Card testing velocity | Payment blocked | 24 hours | Auto-lifted |

